A threat actor known as eGobbler is taking advantage of a vulnerability in the Chrome web browser for iOS to target iPhone users with an exploit that serves up malicious advertising. According to researchers at security vendor Confiant, the malvertising campaign has served up more than 500 million malicious ads since it started ten days ago.
What is malvertising?
Malicious advertising, malvertising for short, is the practice of displaying seemingly legitimate adverts that carry hidden code which redirects users to fraudulent or malicious content. In the case of the eGobbler campaign targeting iOS users, the threat actor has compromised legitimate advertising servers and is using them to deliver adverts that redirect the user to a pop-up "competition" scam window. The payoff for the attacker is two-fold: revenue from the adverts being displayed, and landing pages that can be used to distribute malware or collect user data. eGobbler is the name researchers have given to the threat actor, thought to be a well-organized criminal group, on account of the huge volumes of hits that its malvertising campaigns achieve. The group has been active for some time; its campaigns usually stay live for only a couple of days, then go quiet for a short period before the next wave begins. Researchers investigating the ongoing campaign have noted this pattern of activity.
What’s the Chrome vulnerability?
Chrome for iOS, which is built on Apple's WebKit engine rather than the Chromium (Blink) engine used by Chrome on other platforms, relies on sandboxing to stop code injected through an advert from interacting with other components of the page in ways that could be a security threat. In particular, a sandboxed cross-origin ad frame should be unable to hijack the browser session by launching a pop-up window without any user interaction, or to redirect the user to landing pages they are not expecting. Confiant's researchers have yet to reveal the precise mechanism by which eGobbler bypasses the Chrome for iOS sandboxing, in order to give Google time to issue a patch, but say that "the fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes. Furthermore, this completely circumvents the browser's anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session." The security researcher who uncovered the vulnerability, Eliya Stein, tweets that this "is technically a chrome pop-up blocker bypass, but in a way it's a sandbox bypass, because it hijacks the session with a pop-up instead of a redirection."
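To make concrete what a sandboxed ad frame is supposed to be prevented from doing, here is an added example (not code from the article, from Confiant, or from Google) that statically audits the HTML `sandbox` attribute an ad wrapper places on a cross-origin ad iframe and reports whether the frame's content could open pop-ups or navigate the top-level page. The token names and their meanings are those of the HTML Standard; the function names, result fields and sample slot configurations are this example's own and are constructed for illustration. It describes what the attribute is meant to enforce; as the section above makes clear, the eGobbler payload hijacked sessions on Chrome for iOS despite those rules, so an audit like this tells you what the policy says, not that a given engine honours it.

```javascript
// Added example, not code from the article or from Confiant: a static audit of
// the iframe `sandbox` attribute that ad wrappers put on cross-origin ad slots.
// Token names and semantics follow the HTML Standard; the function names and
// result fields are this example's own choices.

const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// The attribute is a space-separated, ASCII case-insensitive token list.
// null/undefined means the iframe carries no sandbox attribute at all.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Work out what an ad loaded in this frame may do to the embedding page,
// assuming the engine enforces the attribute as specified.
function auditAdFrameSandbox(sandboxValue) {
  const tokens = parseSandbox(sandboxValue);
  if (tokens === null) {
    // No attribute: no sandbox flags, so only the engine's own pop-up blocker
    // (user-activation requirement) stands between ad code and window.open()
    // or a top-level navigation.
    return {
      sandboxed: false, canRunScripts: true, canOpenPopups: true,
      popupsEscapeSandbox: true, canNavigateTop: true, canEscapeSandbox: true,
      findings: ['no sandbox attribute: ad frame is unrestricted'],
    };
  }
  const findings = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown token "${t}" (browsers ignore it)`);
  }
  const has = (t) => tokens.has(t);
  const canRunScripts = has('allow-scripts');
  const canOpenPopups = has('allow-popups');
  // Without allow-popups-to-escape-sandbox, any window the frame opens
  // inherits the frame's own sandbox flags.
  const popupsEscapeSandbox = canOpenPopups && has('allow-popups-to-escape-sandbox');
  const canNavigateTop = has('allow-top-navigation') ||
                         has('allow-top-navigation-by-user-activation');
  // Spec caveat: allow-scripts plus allow-same-origin lets content that is
  // same-origin with the embedder remove the sandbox attribute from its own
  // iframe and reload, so the sandbox only really constrains cross-origin ads.
  const canEscapeSandbox = canRunScripts && has('allow-same-origin');

  if (!canRunScripts) findings.push('no allow-scripts: ad JavaScript does not run at all');
  if (canOpenPopups) findings.push('allow-popups: ad can call window.open()');
  if (popupsEscapeSandbox) findings.push('allow-popups-to-escape-sandbox: opened windows are unsandboxed');
  if (has('allow-top-navigation')) {
    findings.push('allow-top-navigation: ad can redirect the top-level page with no user gesture');
  } else if (has('allow-top-navigation-by-user-activation')) {
    findings.push('allow-top-navigation-by-user-activation: ad can redirect the top-level page after a user gesture');
  }
  if (canEscapeSandbox) findings.push('allow-scripts + allow-same-origin: same-origin content can drop the sandbox entirely');

  return { sandboxed: true, canRunScripts, canOpenPopups, popupsEscapeSandbox,
           canNavigateTop, canEscapeSandbox, findings };
}

// Constructed sample ad-slot configurations (not taken from any real site).
const SAMPLE_SLOTS = {
  'unsandboxed slot': null,
  'script-only slot': 'allow-scripts',
  'typical permissive wrapper': 'allow-scripts allow-same-origin allow-popups allow-top-navigation-by-user-activation',
  'wide-open wrapper': 'allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation',
};

for (const [name, attr] of Object.entries(SAMPLE_SLOTS)) {
  const r = auditAdFrameSandbox(attr);
  console.log(`${name}: ${r.findings.join('; ') || 'no findings'}`);
}
```

Run it with `node` to see a one-line verdict per sample slot. The useful reading is the gap between the "script-only slot" (no pop-ups, no top navigation) and the "wide-open wrapper": a slot configured like the latter gives an ad everything the eGobbler payload needed without any bypass at all, which is why the sandbox audit belongs alongside, not instead of, keeping the browser patched.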
The security industry view
Ian Thornton-Trump, head of cybersecurity at AmTrust Europe, told me that this is problematic because it highlights the grey area between operating system and browser. "Who is ultimately responsible for the security of a device," Thornton-Trump asks, "the manufacturer or the giant software company making the world's most popular browser?" There can be little doubt, as Thornton-Trump points out, that after the operating system itself the web browser is the most sophisticated application installed on mobile devices today.
What do you need to do now?
Stein states that "where standard sandboxing rules would ultimately succeed in blocking certain redirections, they consistently failed to protect users from this campaign on iOS Chrome." Stein adds that the Google Chrome team was notified of the vulnerability on April 11 and supplied with a working proof of concept. "They responded in a timely manner within several hours of the report," Stein says, and the team is investigating the issue, but the vulnerability currently remains unpatched. If history repeats itself, the malvertising campaign could be about to start another wave, as eGobbler tends to launch these around holidays, and this weekend is, of course, Easter. While awaiting a patch, iPhone users should take extra care about what they tap, especially in adverts and pop-ups; bear in mind, though, that because this payload fires without any user interaction, caution only limits what you do on the scam page once it appears, not whether it appears. If you land on a website where such pop-ups are being served, it's recommended that you close your browser immediately and stay away from that site for a couple of days: eGobbler campaigns tend to stay active for only about 48 hours before moving on to the next target. Ian Thornton-Trump adds that users should "upgrade as soon as they can with regard to both iOS and the Chrome browser" as a matter of general security hygiene, concluding "if you can't upgrade either one then it's time for a new device…"